Fossil SCM

Moved the stunnel proxying docs from www/ssl.wiki to a new document www/server/any/stunnel.md, and pointed www/server.wiki at it. Also replaced some similar material in this branch's new www/server/windows/stunnel.md file at this generic document. Between these two changes, the generic stunnel docs now cover the reverse proxying option for the first time. (The old version used the socket activation method exclusively.) The new document also gives a more realistic configuration, showing Let's Encrypt paths and a sensible ciphersuite configuration.

wyoung 2019-08-16 09:54 server-docs
Commit 53b2e866e1632ad000c2e87e37c453a590acd4eba968c32287545e688dd0a2e0
+2 -2
--- www/server.wiki
+++ www/server.wiki
@@ -73,11 +73,11 @@
7373
<tr>
7474
<th style="background-color: #e8e8e8; padding: 6px; text-align: right">Any</th>
7575
<td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
7676
<td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
7777
<td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
78
- <td style="text-align: center"><a href="./ssl.wiki#stunnel">✅</a></td>
78
+ <td style="text-align: center"><a href="./server/any/stunnel.md">✅</a></td>
7979
<td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
8080
<td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
8181
<td style="text-align: center">❌</td>
8282
<td style="text-align: center">❌</td>
8383
<td style="text-align: center">❌</td>
@@ -87,11 +87,11 @@
8787
<tr>
8888
<th style="background-color: #e8e8e8; padding: 6px; text-align: right">Debian/Ubuntu</th>
8989
<td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
9090
<td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
9191
<td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
92
- <td style="text-align: center"><a href="./ssl.wiki#stunnel">✅</a></td>
92
+ <td style="text-align: center"><a href="./server/any/stunnel.md">✅</a></td>
9393
<td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
9494
<td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
9595
<td style="text-align: center"><a href="./server/debian/nginx.md">✅</a></td>
9696
<td style="text-align: center">❌</td>
9797
<td style="text-align: center">❌</td>
9898
9999
ADDED www/server/any/stunnel.md
--- www/server.wiki
+++ www/server.wiki
@@ -73,11 +73,11 @@
73 <tr>
74 <th style="background-color: #e8e8e8; padding: 6px; text-align: right">Any</th>
75 <td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
76 <td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
77 <td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
78 <td style="text-align: center"><a href="./ssl.wiki#stunnel">✅</a></td>
79 <td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
80 <td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
81 <td style="text-align: center">❌</td>
82 <td style="text-align: center">❌</td>
83 <td style="text-align: center">❌</td>
@@ -87,11 +87,11 @@
87 <tr>
88 <th style="background-color: #e8e8e8; padding: 6px; text-align: right">Debian/Ubuntu</th>
89 <td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
90 <td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
91 <td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
92 <td style="text-align: center"><a href="./ssl.wiki#stunnel">✅</a></td>
93 <td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
94 <td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
95 <td style="text-align: center"><a href="./server/debian/nginx.md">✅</a></td>
96 <td style="text-align: center">❌</td>
97 <td style="text-align: center">❌</td>
98
99 DDED www/server/any/stunnel.md
--- www/server.wiki
+++ www/server.wiki
@@ -73,11 +73,11 @@
73 <tr>
74 <th style="background-color: #e8e8e8; padding: 6px; text-align: right">Any</th>
75 <td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
76 <td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
77 <td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
78 <td style="text-align: center"><a href="./server/any/stunnel.md">✅</a></td>
79 <td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
80 <td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
81 <td style="text-align: center">❌</td>
82 <td style="text-align: center">❌</td>
83 <td style="text-align: center">❌</td>
@@ -87,11 +87,11 @@
87 <tr>
88 <th style="background-color: #e8e8e8; padding: 6px; text-align: right">Debian/Ubuntu</th>
89 <td style="text-align: center"><a href="./server/any/none.md">✅</a></td>
90 <td style="text-align: center"><a href="./server/any/inetd.md">✅</a></td>
91 <td style="text-align: center"><a href="./server/any/xinetd.md">✅</a></td>
92 <td style="text-align: center"><a href="./server/any/stunnel.md">✅</a></td>
93 <td style="text-align: center"><a href="./server/any/cgi.md">✅</a></td>
94 <td style="text-align: center"><a href="./server/any/scgi.md">✅</a></td>
95 <td style="text-align: center"><a href="./server/debian/nginx.md">✅</a></td>
96 <td style="text-align: center">❌</td>
97 <td style="text-align: center">❌</td>
98
99 DDED www/server/any/stunnel.md
--- a/www/server/any/stunnel.md
+++ b/www/server/any/stunnel.md
@@ -0,0 +1,23 @@
1
+# Serving via stunnel
2
+
3
+[`stunnel`](https://www.stunnel.org/) is a TLS/SSL proxy for programs
4
+that themselves serve only via HTTP, such as Fossil. (Fossil *can* speak
5
+HTTPS, but only as a client.) `stunnel` decodes the HTTPS data from the
6
+outside world as HTTP before passing it to Fossil, and it encodes the
7
+HTTP replies from Fossil as HTTPS before sending them to the remote host
8
+that made the request.
9
+
10
+You can run `stunnel` in one of two modes: socket activation — much like
11
+in our [`inetd` doc](./inetd.md) — and as an HTTP reverse proxy. We’ll
12
+cover both cases here, separately.
13
+
14
+
15
+## Sly.
16
+
17
+
18
+## S<a name="sa"></a>ocket Activation
19
+
20
+The following `stunnel.conf` configuration configures activation mode, launching Fossiactivation-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AESactivation = CIPHER_SERVER_PREFERENCE
21
+```
22
+
23
+This configuration shows the TLS certificate generate
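Review bot: Line 20 of the new file runs the sentence that introduces the `stunnel.conf` example straight into the tail of a cipher list and a `CIPHER_SERVER_PREFERENCE` setting, and the code fence on line 21 closes a block that was never opened, so the socket activation example will not render as configuration. The `## Sly.` heading on line 15 and the sentence on line 23 also look cut off. Of the suites that are visible, `AES256-GCM-SHA384` and `AES128-GCM-SHA256` use static RSA key exchange without forward secrecy, and `ECDHE-RSA-AES128-SHA` is a CBC suite with a SHA-1 MAC; either drop them or say in the text which clients they are kept for. The Windows document in this commit links to `stunnel.md#proxy`, but the only named anchor in these lines is `sa`, so please confirm the `proxy` anchor exists.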
--- a/www/server/any/stunnel.md
+++ b/www/server/any/stunnel.md
@@ -0,0 +1,23 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
--- a/www/server/any/stunnel.md
+++ b/www/server/any/stunnel.md
@@ -0,0 +1,23 @@
1 # Serving via stunnel
2
3 [`stunnel`](https://www.stunnel.org/) is a TLS/SSL proxy for programs
4 that themselves serve only via HTTP, such as Fossil. (Fossil *can* speak
5 HTTPS, but only as a client.) `stunnel` decodes the HTTPS data from the
6 outside world as HTTP before passing it to Fossil, and it encodes the
7 HTTP replies from Fossil as HTTPS before sending them to the remote host
8 that made the request.
9
10 You can run `stunnel` in one of two modes: socket activation — much like
11 in our [`inetd` doc](./inetd.md) — and as an HTTP reverse proxy. We’ll
12 cover both cases here, separately.
13
14
15 ## Sly.
16
17
18 ## S<a name="sa"></a>ocket Activation
19
20 The following `stunnel.conf` configuration configures activation mode, launching Fossiactivation-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AESactivation = CIPHER_SERVER_PREFERENCE
21 ```
22
23 This configuration shows the TLS certificate generate
--- www/server/windows/stunnel.md
+++ www/server/windows/stunnel.md
@@ -25,16 +25,16 @@
2525
to change the command to install the Fossil Service to configure it properly for
2626
use with stunnel as an https proxy. Run the following instead:
2727
2828
```PowerShell
2929
New-Service -Name fossil-secure -DisplayName fossil-secure -BinaryPathName '"C:\Program Files (x86)\FossilSCM\fossil.exe"
30
-server --localhost --port 8080 --https --repolist "D:/Path/to/Repos"' -StartupType Automatic
30
+server --localhost --port 9000 --https --repolist "D:/Path/to/Repos"' -StartupType Automatic
3131
3232
```
3333
3434
The use of `--localhost` means Fossil will only listen for traffic on the local
35
-host on the designated port - 8080 in this case - and will not respond to
35
+host on the designated port - 9000 in this case - and will not respond to
3636
network traffic. Using `--https` will tell Fossil to generate HTTPS URLs rather
3737
than HTTP ones.
3838
3939
`New-Service` does not automatically start a service on install, so you will
4040
need to enter the following to avoid rebooting the server:
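Review bot: The port change on line 30 and in the prose on line 35 only works if the reverse proxy's `connect` port is also 9000, and after this commit the Windows page no longer shows that setting itself. Suggest stating next to the `New-Service` command that `--port` must match the `connect` value in the stunnel configuration, so a reader who picks a different port changes both.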
@@ -113,22 +113,16 @@
113113
Now move `fossil-scm.key` and `fossil-scm.pem` to your stunnel config directory
114114
(by default this should be located at `\Program Files (x86)\stunne\config`).
115115
116116
## stunnel Configuration
117117
118
-Next, open up the `stunnel.conf` file located at `\Program Files (x86)\stunnel\config`
119
-and add the below section.
120
-
121
-```dosini
122
-; proxy to fossil-scm service
123
-[fossil]
124
-accept = 443
125
-connect = 8080
126
-cert = fossil-scm.pem
127
-key = fossil-scm.key
128
-TIMEOUTclose = 0
129
-```
118
+Use the reverse proxy configuration given in the generic [Serving via
119
+stunnel document](../any/stunnel.md#proxy). On Windows, the
120
+`stunnel.conf` file is located at `\Program Files (x86)\stunnel\config`.
121
+
122
+You will need to modify it to point at the PEM and key files generated
123
+above.
130124
131125
After completing the above configuration restart the stunnel service in Windows
132126
with the following:
133127
134128
```PowerShell
135129
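Review bot: The new text on lines 122-123 says to point the configuration at the PEM and key files but does not name the settings, whereas the removed block showed `cert = fossil-scm.pem` and `key = fossil-scm.key` explicitly. Suggest naming the `cert` and `key` settings and those two file names here, and confirming that the generic configuration still carries `TIMEOUTclose = 0`, which the removed block set. While this section is being edited, note that context line 114 spells the directory `\Program Files (x86)\stunne\config`, missing the final `l` of `stunnel`.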
--- www/server/windows/stunnel.md
+++ www/server/windows/stunnel.md
@@ -25,16 +25,16 @@
25 to change the command to install the Fossil Service to configure it properly for
26 use with stunnel as an https proxy. Run the following instead:
27
28 ```PowerShell
29 New-Service -Name fossil-secure -DisplayName fossil-secure -BinaryPathName '"C:\Program Files (x86)\FossilSCM\fossil.exe"
30 server --localhost --port 8080 --https --repolist "D:/Path/to/Repos"' -StartupType Automatic
31
32 ```
33
34 The use of `--localhost` means Fossil will only listen for traffic on the local
35 host on the designated port - 8080 in this case - and will not respond to
36 network traffic. Using `--https` will tell Fossil to generate HTTPS URLs rather
37 than HTTP ones.
38
39 `New-Service` does not automatically start a service on install, so you will
40 need to enter the following to avoid rebooting the server:
@@ -113,22 +113,16 @@
113 Now move `fossil-scm.key` and `fossil-scm.pem` to your stunnel config directory
114 (by default this should be located at `\Program Files (x86)\stunne\config`).
115
116 ## stunnel Configuration
117
118 Next, open up the `stunnel.conf` file located at `\Program Files (x86)\stunnel\config`
119 and add the below section.
120
121 ```dosini
122 ; proxy to fossil-scm service
123 [fossil]
124 accept = 443
125 connect = 8080
126 cert = fossil-scm.pem
127 key = fossil-scm.key
128 TIMEOUTclose = 0
129 ```
130
131 After completing the above configuration restart the stunnel service in Windows
132 with the following:
133
134 ```PowerShell
135
--- www/server/windows/stunnel.md
+++ www/server/windows/stunnel.md
@@ -25,16 +25,16 @@
25 to change the command to install the Fossil Service to configure it properly for
26 use with stunnel as an https proxy. Run the following instead:
27
28 ```PowerShell
29 New-Service -Name fossil-secure -DisplayName fossil-secure -BinaryPathName '"C:\Program Files (x86)\FossilSCM\fossil.exe"
30 server --localhost --port 9000 --https --repolist "D:/Path/to/Repos"' -StartupType Automatic
31
32 ```
33
34 The use of `--localhost` means Fossil will only listen for traffic on the local
35 host on the designated port - 9000 in this case - and will not respond to
36 network traffic. Using `--https` will tell Fossil to generate HTTPS URLs rather
37 than HTTP ones.
38
39 `New-Service` does not automatically start a service on install, so you will
40 need to enter the following to avoid rebooting the server:
@@ -113,22 +113,16 @@
113 Now move `fossil-scm.key` and `fossil-scm.pem` to your stunnel config directory
114 (by default this should be located at `\Program Files (x86)\stunne\config`).
115
116 ## stunnel Configuration
117
118 Use the reverse proxy configuration given in the generic [Serving via
119 stunnel document](../any/stunnel.md#proxy). On Windows, the
120 `stunnel.conf` file is located at `\Program Files (x86)\stunnel\config`.
121
122 You will need to modify it to point at the PEM and key files generated
123 above.
 
 
 
 
 
 
124
125 After completing the above configuration restart the stunnel service in Windows
126 with the following:
127
128 ```PowerShell
129
+1 -26
--- www/ssl.wiki
+++ www/ssl.wiki
@@ -211,36 +211,11 @@
211211
it behind some kind of HTTPS proxy.
212212
213213
214214
<h3 id="stunnel">stunnel Alone</h3>
215215
216
-[https://www.stunnel.org/ | <tt>stunnel</tt>] is an
217
-[https://en.wikipedia.org/wiki/Inetd | <tt>inetd</tt>]-like process that
218
-accepts and decodes TLS-encrypted connections. It can directly proxy
219
-Fossil communications, allowing secure TLS-encrypted communications to a
220
-Fossil repository server. You simply need to install <tt>stunnel</tt>
221
-and then place something like this in its main configuration file,
222
-<tt>stunnel.conf</tt>:
223
-
224
-<nowiki><pre>
225
- [https]
226
- accept = www.ubercool-project.org:443
227
- TIMEOUTclose = 0
228
- exec = /usr/bin/fossil
229
- execargs = /usr/bin/fossil http /home/fossil/ubercool.fossil --https
230
-</pre></nowiki>
231
-
232
-The directory where that file goes varies between OSes, so check the man
233
-pages on your system to find out where it should be locally.
234
-
235
-See the <tt>stunnel</tt> documentation for further details about this
236
-configuration file.
237
-
238
-It is important that the [/help/http | <tt>fossil http</tt>] command in
239
-that configuration include the <tt>--https</tt> option to let Fossil
240
-know to use "<tt>https</tt>" instead of "<tt>http</tt>" as the URL
241
-scheme on generated hyperlinks.
216
+That's covered [./server/any/stunnel.md | elsewhere].
242217
243218
244219
<h3 id="althttpd">stunnel + althttpd</h3>
245220
246221
The public SQLite and Fossil web sites can't just use stunnel + Fossil
247222
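Review bot: The removed lines 238-241 carried the warning that the `fossil http` command must include `--https` so that generated hyperlinks use the `https` scheme; the replacement on line 216 drops it, and the lines of the new `stunnel.md` shown in this commit do not restate it. Please make sure the new document keeps that warning. The link text `elsewhere` is also uninformative, and naming the target document would read better. Keeping `<h3 id="stunnel">` is good, since existing links to `ssl.wiki#stunnel` still land on the pointer.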
--- www/ssl.wiki
+++ www/ssl.wiki
@@ -211,36 +211,11 @@
211 it behind some kind of HTTPS proxy.
212
213
214 <h3 id="stunnel">stunnel Alone</h3>
215
216 [https://www.stunnel.org/ | <tt>stunnel</tt>] is an
217 [https://en.wikipedia.org/wiki/Inetd | <tt>inetd</tt>]-like process that
218 accepts and decodes TLS-encrypted connections. It can directly proxy
219 Fossil communications, allowing secure TLS-encrypted communications to a
220 Fossil repository server. You simply need to install <tt>stunnel</tt>
221 and then place something like this in its main configuration file,
222 <tt>stunnel.conf</tt>:
223
224 <nowiki><pre>
225 [https]
226 accept = www.ubercool-project.org:443
227 TIMEOUTclose = 0
228 exec = /usr/bin/fossil
229 execargs = /usr/bin/fossil http /home/fossil/ubercool.fossil --https
230 </pre></nowiki>
231
232 The directory where that file goes varies between OSes, so check the man
233 pages on your system to find out where it should be locally.
234
235 See the <tt>stunnel</tt> documentation for further details about this
236 configuration file.
237
238 It is important that the [/help/http | <tt>fossil http</tt>] command in
239 that configuration include the <tt>--https</tt> option to let Fossil
240 know to use "<tt>https</tt>" instead of "<tt>http</tt>" as the URL
241 scheme on generated hyperlinks.
242
243
244 <h3 id="althttpd">stunnel + althttpd</h3>
245
246 The public SQLite and Fossil web sites can't just use stunnel + Fossil
247
--- www/ssl.wiki
+++ www/ssl.wiki
@@ -211,36 +211,11 @@
211 it behind some kind of HTTPS proxy.
212
213
214 <h3 id="stunnel">stunnel Alone</h3>
215
216 That's covered [./server/any/stunnel.md | elsewhere].
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
217
218
219 <h3 id="althttpd">stunnel + althttpd</h3>
220
221 The public SQLite and Fossil web sites can't just use stunnel + Fossil
222
